All of lore.kernel.org
 help / color / mirror / Atom feed
* [PATCH v2 0/3] boot: fit: authenticate the dm-verity roothash
@ 2026-07-14  2:33 Daniel Golle
  2026-07-14  2:33 ` [PATCH v2 1/3] boot: fit: factor out node-path collection in fit_config_add_hash() Daniel Golle
                   ` (2 more replies)
  0 siblings, 3 replies; 4+ messages in thread
From: Daniel Golle @ 2026-07-14  2:33 UTC (permalink / raw)
  To: Tom Rini, Simon Glass, Daniel Golle, Ludwig Nussel, Anton Ivanov,
	Marek Vasut, Neil Armstrong, Quentin Schulz, Jonas Karlman,
	Randolph Sapp, Wolfgang Wallner, Francois Berder, u-boot

A signed FIT configuration can delegate the integrity of a (potentially
large) root filesystem image to the kernel's dm-verity instead of having
U-Boot hash the whole payload at boot: the FIT carries a "dm-verity"
subnode with the roothash, salt and block parameters, U-Boot passes the
roothash to Linux through the dm-mod.create bootargs, and dm-verity then
validates the filesystem block by block against it.

For that to be safe the roothash has to be trusted, and in a signed
configuration the only thing that establishes trust is the configuration
signature. The roothash was not covered by it. fit_config_add_hash()
collected the image node, its hash subnodes and its cipher subnode into
the signed region, but not the dm-verity subnode, so the roothash, the
sole integrity anchor for the filesystem, was left unsigned.

The result is a verified-boot bypass for the root filesystem: an
attacker who can rewrite the boot medium can replace the filesystem,
recompute a matching dm-verity tree, write the new roothash into the
unsigned dm-verity subnode, and the configuration signature still
verifies. dm-verity then faithfully validates the malicious filesystem
against the attacker's roothash.

This series closes the gap.

v2: address comments by Tom Rini
 * drop the VISIBLE_IF_UT visibility macro; fit_config_get_signed_nodes()
   is now simply non-static (previously the function would end up being
   inlined, so there *is* a real cost to this)
 * document test_fit_verity_sign.py with pydoc docstrings including an
   ITS example, and add a page under doc/develop/pytest/ so the module
   is rendered in the generated documentation
 * collect Reviewed-by tags on patches 1 and 2

Daniel Golle (3):
  boot: fit: factor out node-path collection in fit_config_add_hash()
  boot: fit: cover the dm-verity roothash with the config signature
  test: fit: verify dm-verity roothash is covered by the config
    signature

 boot/image-fit-sig.c                        | 108 +++++++----
 doc/develop/pytest/test_fit_verity_sign.rst |  10 +
 include/image.h                             |  23 +++
 test/boot/fit_verity.c                      | 194 +++++++++++++++++++
 test/py/tests/test_fit_verity_sign.py       | 202 ++++++++++++++++++++
 tools/image-host.c                          |  22 +++
 6 files changed, 520 insertions(+), 39 deletions(-)
 create mode 100644 doc/develop/pytest/test_fit_verity_sign.rst
 create mode 100644 test/py/tests/test_fit_verity_sign.py


base-commit: 6741b0dfb41dc82a284ab1cff4c58af6ef2f3f9c
-- 
2.55.0

^ permalink raw reply	[flat|nested] 4+ messages in thread

end of thread, other threads:[~2026-07-14  2:35 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-07-14  2:33 [PATCH v2 0/3] boot: fit: authenticate the dm-verity roothash Daniel Golle
2026-07-14  2:33 ` [PATCH v2 1/3] boot: fit: factor out node-path collection in fit_config_add_hash() Daniel Golle
2026-07-14  2:33 ` [PATCH v2 2/3] boot: fit: cover the dm-verity roothash with the config signature Daniel Golle
2026-07-14  2:35 ` [PATCH v2 3/3] test: fit: verify dm-verity roothash is covered by " Daniel Golle

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.